Brute force (password guessing) attacks are very common against web sites and web servers, and they are
one of the most common vectors used to compromise web sites. The process is very simple: the
attacker tries many combinations of usernames and passwords until one of them works.

Once they get in, they can compromise the web site with malware, spam, phishing or anything else they want.

Brute Force Targets

Any website with a login page is a target, but the following are the most commonly attacked pages via brute-force:

WordPress wp-admin/wp-login.php login pages.

Joomla /administrator/.

Drupal /admin/.

Magento /index.php/admin/.

vBulletin /admincp/.

Generic /login pages.

Usernames and Passwords

Most attacks rely on a dictionary of the most commonly used usernames and passwords and try all of them. They also permute
entries derived from the web site's domain name and content to increase their chance of success.

We have a few blog posts with more information about it, but these are the most commonly used passwords:

And those are just a few entries. Most attacks try thousands of password combinations.

Brute Force Protection

Humans are very bad at choosing passwords, and that's what these attacks exploit. You can minimize
the risk by rate limiting login attempts, choosing good passwords and restricting access to the admin
pages to whitelisted IP addresses only.

Any client using CloudProxy is already automatically protected. We
restrict access to the login pages to authorized IP addresses only, and we also include brute force detection
that blocks an IP address after too many failed login attempts.
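As an added illustration of the "block an IP after too many failed login attempts" logic described above (example code written for this page, not part of the original article or of CloudProxy), the script below counts failed POSTs to the login pages listed earlier per client IP over a sliding time window and reports which IPs should be blocked. The access log lines are constructed sample data, and treating a 200 response to a login POST as a failure is an assumption that holds for WordPress (the form is re-rendered with an error) but should be checked for other applications.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache-style access log lines (sample data, not from the original page).
# Assumption: POST to a login page answered with 200 = failed attempt; 302 = successful login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
198.51.100.22 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3108
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
198.51.100.22 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
198.51.100.22 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3254
203.0.113.9 - - [10/Oct/2023:13:50:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:58:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 5120
"""

# Common Log Format: client IP, identd, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Login pages named in the article; CMS admin paths are matched by prefix.
LOGIN_PATHS = ("/wp-login.php", "/administrator/", "/admin/", "/index.php/admin/", "/admincp/", "/login")

def is_failed_login(method, path, status):
    """A POST to a login page that re-renders the form (HTTP 200) is counted as a failure."""
    return method == "POST" and status == "200" and any(path.startswith(p) for p in LOGIN_PATHS)

def find_brute_forcers(log_text, threshold=5, window_seconds=60):
    """Return {ip: timestamp} for each IP that reached `threshold` failed logins within any
    `window_seconds` span; the timestamp is the attempt at which the block should trigger."""
    recent = defaultdict(deque)   # per-IP sliding window of failed-attempt timestamps
    blocked = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_failed_login(m["method"], m["path"], m["status"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in blocked:
            blocked[m["ip"]] = ts
    return blocked

if __name__ == "__main__":
    for ip, ts in find_brute_forcers(SAMPLE_LOG).items():
        print(f"block {ip}: {threshold_note if False else ''}{ts:%H:%M:%S}")
```

In the sample data only 203.0.113.7 is reported (its fifth failure within a minute is at 13:55:10); the successful login from 198.51.100.22 and the two slow Joomla attempts from 203.0.113.9 stay below the threshold.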